I just wanted to add that this can be a security hole as well. Always escape string values from the client or use the command object and parameter collection....